
DRF permissions in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What is the output of this permission check?
Given this Django REST Framework view permission setup, what will be the response status code if an unauthenticated user tries to access the view?
from rest_framework.permissions import IsAuthenticated
from rest_framework.views import APIView
from rest_framework.response import Response

class MyView(APIView):
    permission_classes = [IsAuthenticated]

    def get(self, request):
        return Response({'message': 'Hello, authenticated user!'})
A. 401 Unauthorized error
B. 403 Forbidden error
C. 500 Internal Server Error
D. 200 OK with message 'Hello, authenticated user!'
💡 Hint
Think about what happens when a user is not logged in and the view requires authentication.
📝 Syntax
intermediate
Which option correctly applies multiple permissions in DRF?
You want to require that a user is authenticated and also has admin rights. Which of these permission_classes declarations is syntactically correct and will enforce both permissions?
A. permission_classes = {IsAuthenticated, IsAdminUser}
B. permission_classes = IsAuthenticated & IsAdminUser
C. permission_classes = (IsAuthenticated, IsAdminUser)
D. permission_classes = [IsAuthenticated, IsAdminUser]
💡 Hint
Remember that permission_classes expects a list or tuple of permission classes.
🔧 Debug
advanced
Why does this custom permission always deny access?
Examine this custom permission class. Why does it always deny access even for authenticated users?
from rest_framework.permissions import BasePermission

class IsOwner(BasePermission):
    def has_object_permission(self, request, view, obj):
        if request.user == obj.owner:
            return True
        return False
A. Because the class is missing an __init__ method
B. Because request.user is never equal to obj.owner
C. Because the method lacks a return False for the else case, so it returns None which is treated as False
D. Because BasePermission requires has_permission method to be defined
💡 Hint
Think about what happens if the if condition is false and no return statement is given.
state_output
advanced
What is the value of `permission_granted` after this check?
Given this code snippet, what will be the value of the variable permission_granted after calling the permission check?
from rest_framework.permissions import IsAuthenticated

class DummyRequest:
    def __init__(self, user):
        self.user = user

class DummyUser:
    def __init__(self, is_authenticated):
        self.is_authenticated = is_authenticated

request = DummyRequest(DummyUser(is_authenticated=False))
permission = IsAuthenticated()
permission_granted = permission.has_permission(request, None)
A. False
B. True
C. Raises AttributeError
D. None
💡 Hint
Check how IsAuthenticated checks the user property.
🧠 Conceptual
expert
Which permission class combination allows read access for everyone but write access only for owners?
You want a view where anyone can read data, but only the owner of an object can update or delete it. Which combination of permission classes and methods achieves this behavior correctly?
A. Use IsAdminUser for all requests and override has_permission to check ownership
B. Use IsAuthenticatedOrReadOnly and a custom IsOwner permission in has_object_permission to allow writes only for owners
C. Use AllowAny and check ownership in the serializer's save method
D. Use IsAuthenticated and override get_queryset to filter only owner objects
💡 Hint
Think about how to allow everyone to read but restrict writes to owners.